Reactive Phishing Defenses - Part 2 

Oct 27, 2008 02:01 PM

My previous blog article was intended to highlight two new features observed in a number of phishing kits that held the aim of making the lives of security analysts more difficult. I want to now focus my attention on another trick that has been used in phishing kits in order to protect the attack against a technique called "dilution." Dilution is a method of providing a certain amount of false credentials, names, account numbers, and other personal information to a phishing website. With this technique, real credentials are diluted in a sea of false data, making the fraudster's job harder.

There are several different kinds of dilution strategies, classified by the type of data provided to the phishing site:

•    Random Data: a large amount of random unformatted data is submitted. This strategy attempts to fill up the collection point, but has a drawback in that the fraudsters can easily identify fake data.
•    Properly Formatted Data: a large amount of properly formatted data is submitted. This process avoids the drawback of the first dilution type, but still fills up the collection point.
•    Tag Data: this time, the fake data submitted is indeed valid and accepted by the institution's website. The injection of this data allows financial institutions to more easily track criminals and gain additional forensic information.

Fraudsters are aware of these techniques and are continuously trying to optimize their attacks and thus their profits. As a proof of concept, shown below is a piece of PHP code revealed from a phishing attack that is intended to check the validity of the credit card number provided by the user according to card number conventions:
Figure 1. Fraudster checks for a valid card number

After performing this check, the fraudster tries validating the card number by using the Luhn algorithm (figure 2). If both conditions are met (the card number appears to be correct and the Luhn algorithm is verified) the information is delivered to the drop box. This approach makes the Random Data Dilution strategy described above useless, because invalid data won't be accepted.



Figure 2. Fraudster using the Luhn algorithm
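The two checks from figures 1 and 2, reproduced here as an added Python example (the kit's own PHP is not on the page, and this is not the author's code), show why Random Data Dilution is filtered out while Properly Formatted Data still gets through. The format check is an assumption (digit-only, 13 to 19 digits after removing spaces and dashes); the Luhn check is the standard mod-10 algorithm, and the sample inputs are constructed.

```python
"""Why random-data dilution fails the kit's two checks while formatted data passes.

Added example; the format rule (13-19 decimal digits) is an assumption about
"card number conventions", and all inputs below are constructed test values.
"""
import random
import string


def _digits_only(value: str) -> str:
    """Normalise user input the way a form handler would: drop spaces and dashes."""
    return value.replace(" ", "").replace("-", "")


def looks_like_card_number(value: str) -> bool:
    """Figure 1 style check: only decimal digits, plausible length (assumed 13-19)."""
    digits = _digits_only(value)
    return digits.isdigit() and 13 <= len(digits) <= 19


def luhn_valid(digits: str) -> bool:
    """Figure 2 style check: standard Luhn (mod 10) over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:           # 10..18 -> 1..9 (sum of the two digits)
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the single digit that makes partial + digit Luhn-valid."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise ValueError("no check digit found")  # unreachable: exactly one digit works


def passes_kit_checks(value: str) -> bool:
    """Both gates the kit applies before forwarding data to the drop box."""
    return looks_like_card_number(value) and luhn_valid(_digits_only(value))


def random_data(length: int = 16) -> str:
    """Random Data Dilution: unformatted alphanumeric noise (constructed)."""
    return "".join(random.choices(string.ascii_letters + string.digits, k=length))


def formatted_data(prefix: str = "4", length: int = 16) -> str:
    """Properly Formatted Data Dilution: correct length and a valid Luhn check digit."""
    body = prefix + "".join(random.choices(string.digits, k=length - len(prefix) - 1))
    return body + luhn_check_digit(body)


if __name__ == "__main__":
    random.seed(1)
    print("random data passes:   ", passes_kit_checks(random_data()))     # False
    print("formatted data passes:", passes_kit_checks(formatted_data()))  # True
```

Running it shows the asymmetry the post describes: almost no random string survives the first gate, whereas a number built with a correct Luhn check digit passes both gates and would be forwarded to the drop box exactly like a real one.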

Even if Random Data Dilution is useless against phishing sites implementing the tricks described above, the Properly Formatted Data Dilution continues to work, because the provided data passes both tests described above and is correctly delivered to drop boxes. However, we have recently observed some phishing kits implementing a new feature that helps fraudsters fight even the Properly Formatted Data Dilution strategy. The piece of code in figure 3 (below) shows one of these tricks, which checks whether the credentials provided by the user are indeed valid. It has been implemented by submitting the credentials to the original website and then identifying specific patterns in the response page in order to verify their validity. Only after this validation step is other information requested (such as credit card numbers, cvv2/cvc2 codes, or sometimes even the entire battleship card), and only if that information is provided is it then delivered to the fraudster's drop box.



Figure 3. User credentials validation

This technique actually makes the second type of dilution ineffective, because fake credentials, even if properly formatted, are no longer accepted. So far, the evidence collected demonstrates how some dilution techniques may be defeated through the validation of both the card number and the credentials provided. However, "tag data" remains a very efficient strategy, allowing financial institutions to monitor and identify fraudulent activities more effectively. By using this means of detection, and once the source of the attacker is known, organizations can correlate this information with login records in order to identify other compromised accounts and take reactive countermeasures that prevent the loss of money in a much more efficient way.
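The correlation step described in the last sentence, as an added Python example that is not part of the original post. It assumes a simplified login log format ("timestamp user ip result") and a set of tagged accounts seeded by the institution; the log lines and account names are constructed. Because a tagged account has no legitimate owner, any use of it (including the validation login a kit like the one in figure 3 performs) marks the source address, and every other account that logged in from that address becomes a candidate compromised account.

```python
"""Tag-data correlation: from tagged-credential use to other compromised accounts.

Added example with an assumed log format; all lines and names are constructed.
"""
import re
from collections import defaultdict

# Constructed login records in the assumed format: "<timestamp> <user> <ip> <OK|FAIL>".
LOG_LINES = """\
2008-10-27T10:01:02 alice 203.0.113.10 OK
2008-10-27T10:03:17 tag_acct_0042 198.51.100.77 OK
2008-10-27T10:03:41 bob 198.51.100.77 OK
2008-10-27T10:04:05 carol 198.51.100.77 OK
2008-10-27T10:05:30 dave 192.0.2.55 OK
2008-10-27T10:06:12 tag_acct_0043 198.51.100.77 FAIL
2008-10-27T11:20:00 erin 203.0.113.10 OK
garbage line that should be ignored
""".splitlines()

# Accounts the institution injected into the phishing site as tag data (constructed).
TAGGED_ACCOUNTS = {"tag_acct_0042", "tag_acct_0043"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}) (OK|FAIL)$")


def parse(lines):
    """Yield (timestamp, user, ip, result) tuples; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def attacker_sources(events, tagged):
    """Source IPs that used a tagged credential, whether the attempt succeeded or not."""
    return {ip for _ts, user, ip, _res in events if user in tagged}


def correlate(events, tagged):
    """Map each real account with a successful login from an attacker source to those IPs."""
    sources = attacker_sources(events, tagged)
    suspects = defaultdict(set)
    for _ts, user, ip, res in events:
        if ip in sources and user not in tagged and res == "OK":
            suspects[user].add(ip)
    return dict(suspects)


if __name__ == "__main__":
    events = list(parse(LOG_LINES))
    print("attacker sources:", attacker_sources(events, TAGGED_ACCOUNTS))
    for user, ips in sorted(correlate(events, TAGGED_ACCOUNTS).items()):
        print(f"review account {user}: logged in from {sorted(ips)}")
```

In production the same logic would run over the authentication log with a time window around the tagged login and with the phishing site's own egress address added to the source set once it is known, but the pattern is the same: the tagged credential converts an otherwise invisible validation request into a pivot for finding every account that passed through the same drop point.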